CN117579252A - Information selective disclosure method based on cryptographic technology - Google Patents

Information selective disclosure method based on cryptographic technology Download PDF

Info

Publication number
CN117579252A
CN117579252A CN202311534356.9A CN202311534356A CN117579252A CN 117579252 A CN117579252 A CN 117579252A CN 202311534356 A CN202311534356 A CN 202311534356A CN 117579252 A CN117579252 A CN 117579252A
Authority
CN
China
Prior art keywords
information
issuer
holder
verifier
verifiable
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311534356.9A
Other languages
Chinese (zh)
Inventor
付强
胡凯
邓密密
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sichuan Cric Technology Co ltd
Sichuan Changhong Electronic Holding Group Co Ltd
Original Assignee
Sichuan Cric Technology Co ltd
Sichuan Changhong Electronic Holding Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sichuan Cric Technology Co ltd, Sichuan Changhong Electronic Holding Group Co Ltd filed Critical Sichuan Cric Technology Co ltd
Priority to CN202311534356.9A priority Critical patent/CN117579252A/en
Publication of CN117579252A publication Critical patent/CN117579252A/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3239Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/50Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides an information selective disclosure method based on a cryptographic technology, which comprises the following steps: acquiring original information; the original information includes at least one field; after carrying out cryptographic transformation on the field of the original information, carrying out hash processing on the ciphertext of the field; the hash values of the fields are ordered and combined according to a preset sequence to obtain target information with fixed length; signing the target information based on an issuer; based on the fact that a holder uses a ciphertext mode to display fields needing to be disclosed when selectively disclosing information, and uses the hash of the ciphertext to display the fields needing to be protected; and transmitting a decryption mode of the ciphertext of the public field in a preset transmission mode.

Description

Information selective disclosure method based on cryptographic technology
Technical Field
The invention relates to the technical field of information selective disclosure based on a cryptographic technology, in particular to an information selective disclosure method based on the cryptographic technology.
Background
Citations reflect prior art documents, which specify prior art information to be retrieved or referred to, including historical background and current state of the art, illustrating prior art drawbacks, deficiencies, or disadvantages. Having briefly described and evaluated the background art, the present invention or an object of the present invention, i.e., a task to be solved by the present invention, is presented in connection with the effects achieved by the present invention in view of the closest prior art.
Digital identity generally refers to digital information formed by digitally characterizing an entity, such as personal identification and binding information that can be mapped to the identification one by one. The digital identity can be used as a certificate for proving the authenticity of the identity (attribute) of the digital identity on a network, different digital identities can be used for identification (such as a mobile phone number, an electronic mailbox, a microblog and the like related to a person, a device code related to an object and the like) in different application services, and the identity information can assist a business organization to determine the identity. In the information age, privacy concerns are becoming more and more widespread. The information is selectively disclosed to protect privacy and information security while performing necessary information sharing under specific circumstances. The selective disclosure of information can help to protect privacy and reduce the risk of identity exposure and information leakage. Only the trusted entities or platforms are provided with the necessary information to reduce the risk of misuse, theft or malicious attacks of the information. The selective disclosure is a matter of compliance with the law.
The current more common way of using digital identities is for the holder to present his own digital certificate, which contains all of its attributes and the issuer signature, which reveals all of the attributes of the holder.
Therefore, a method for selectively disclosing information based on cryptographic technology is needed to realize selective disclosure of information by a holder, thereby improving security.
Disclosure of Invention
The invention aims to provide a method and a system for selectively disclosing information based on a cryptographic technology. In order to solve the technical problems existing in the background art.
In order to achieve the above purpose, the present invention adopts the following technical scheme:
a method of selectively disclosing information based on cryptographic techniques, comprising:
acquiring original information; the original information includes at least one field;
after carrying out cryptographic transformation on the field of the original information, carrying out hash processing on the ciphertext of the field;
the hash values of the fields are ordered and combined according to a preset sequence to obtain target information with fixed length;
signing the target information based on an issuer;
based on the fact that a holder uses a ciphertext mode to display fields needing to be disclosed when selectively disclosing information, and uses the hash of the ciphertext to display the fields needing to be protected;
and transmitting a decryption mode of the ciphertext of the public field in a preset transmission mode.
In some embodiments, the method further comprises:
the issuer generates an issuer public and private key pair locally;
the holder locally generates a public and private key pair of the holder;
the verifier generates a verifier public-private key pair locally.
In some embodiments, the method further comprises:
the issuer generates an issuer unique identification on the blockchain-based distributed digital identity system using the issuer public key;
generating a unique identity of the holder on the blockchain-based distributed digital identity system using the holder public key;
the verifier uses the verifier public key to generate a verifier unique identification on the blockchain-based distributed digital identity system.
In some embodiments, the method further comprises:
the issuer is registered as the issuer on a blockchain-based distributed digital identity system;
the issuer registers the issued certificate declaration type on the distributed digital identity system based on the blockchain;
a manager operating the blockchain-based distributed digital identity system verifies the qualification of an issuer in an off-line and on-line mode;
responsive to passing the verification, the issuer becomes an authoritative issuer;
the distributed digital identity system based on blockchain manages the issuer and discloses the information of the existing issuer.
In some embodiments, the method further comprises:
the verifier registers basic information on a distributed digital identity system based on a blockchain;
the distributed digital identity system based on the block chain manages the verifier and discloses the information of the existing verifier.
In some embodiments, the method further comprises:
the holder acquires the published issuer information table, and selects the corresponding issuer to generate the verifiable digital certificate;
the issuer generates a verifiable digital certificate according to the request of the holder;
the holder stores the verifiable digital certificate;
the holder uses the verifiable digital certificate;
when different service systems are used, a holder selectively reveals own attribute information according to the requirements of the service systems;
the verifier verifies the verifiable expression.
In some embodiments, the issuer generating the verifiable digital certificate upon request of the holder comprises:
decrypting the ciphertext of the decryption key information by using an issuer private key of the issuer to obtain the decryption key information;
decrypting the ciphertext of the attribute value by using the decryption key information to obtain original attribute information;
performing on-line or off-line verification on the original attribute information;
returning an error prompt in response to the verification failing;
in response to passing the verification, adding other information that can verify the digital voucher;
performing secure hash processing on each field;
the hash values of the fields are combined according to a preset sequence and then hash processing is carried out to generate data with fixed length;
the issuer signs by using the private key of the issuer;
the generated verifiable digital certificate is returned to the holder.
In some embodiments, the selectively exposing the attribute information of the holder according to the requirement of the service system includes:
for the information to be disclosed, an encryption algorithm for generating a field recorded when the digital certificate can be verified and a cipher text of a key generation attribute value are used;
for information which does not need to be disclosed, an encryption algorithm of a field recorded when the verifiable digital certificate is generated and a cipher text of an attribute value is generated by using a secret key, and then the attribute value is replaced by a hash value after secure hash;
the digital certificate and other information can be verified to keep original text;
acquiring basic information of a verifier on a distributed digital identity system based on a blockchain;
the fields of the disclosure information, the corresponding encryption algorithm and the key, and the fields which are not disclosure are formed into decryption key information;
encrypting the decryption key information by using a verifier public key of a verifier to generate a decryption key information ciphertext;
signing the selectively revealed verifiable digital certificate with a holder private key of the holder to generate a verifiable expression;
the verifiable expression is sent to a service address in the DID doc verifier.
In some embodiments, the signing the selectively revealed verifiable digital credential using the holder's holder private key comprises:
generating a secure hash of each field;
the hash of each field is combined according to the preset, and then the hash is carried out to generate a fixed length;
the holder then signs using the holder private key.
In some embodiments, the verifier verifying a verifiable expression comprises:
the verifier verifies whether the signature of the verifiable expression is consistent by using a verification algorithm in the verifiable expression;
responding to the inconsistency, and returning an error prompt;
responsive to agreement, the verifier obtains a selectively revealed verifiable digital credential from the verifiable expression verifying whether the signature of the verifiable expression is agreed;
responding to the inconsistency, and returning an error prompt;
in response to the coincidence, decrypting the encrypted text of the decryption key information by using a verifier private key of a verifier to obtain the decryption key information;
the verifier uses the decryption key information to decrypt the corresponding revealed field for relevant business operations.
Meanwhile, the invention also discloses an information selective disclosure system based on the cryptographic technology, which comprises:
the acquisition module is used for acquiring the original information; the original information includes at least one field;
the processing module is used for carrying out cryptographic transformation on the field of the original information and then carrying out hash processing on the ciphertext of the field;
the ordering module is used for ordering and combining the hash values of the fields according to a preset sequence to obtain target information with fixed length;
a signature module for signing the target information based on an issuer;
the display module is used for displaying the fields needing to be disclosed in a ciphertext mode based on the fact that a holder selectively reveals information, and displaying the fields needing to be protected in a ciphertext hash mode;
and the transmission module is used for transmitting the decryption mode of the public field ciphertext in a preset transmission mode.
Meanwhile, the invention also discloses an information selective disclosure device based on the cryptographic technology, which comprises a processor and a memory; the memory is configured to store instructions that, when executed by the processor, cause the apparatus to implement the cryptographic technique based information selective disclosure method of any of the above.
The invention also discloses a computer readable storage medium, which stores computer instructions, and when the computer reads the computer instructions in the storage medium, the computer runs the information selective disclosure method based on the cryptographic technique.
Advantageous effects
Compared with the prior art, the invention has the remarkable advantages that:
the scheme of the invention provides a safer improvement mode based on the existing selective disclosure method. The scheme of the invention introduces the cryptography technology, after carrying out the cryptography transformation on each field of the original information, carrying out the hash on the ciphertext of each field, then combining the hashes of each field according to a certain sequence (according to the field sequence or according to the sequence of the hash result) to regenerate a fixed length (such as rehash), and finally re-signing by an issuer, wherein a holder displays the field needing to be disclosed in a ciphertext mode when selectively disclosing the information, displays the field needing to be protected in a ciphertext hash mode, and simultaneously transmits the decryption mode of the ciphertext of the public field in a safe mode. The scheme of the invention avoids attack modes such as rainbow table and the like through the enlarged information space of the password conversion. And provides a basic use flow. By means of the scheme, the safety of selective information disclosure can be greatly improved.
Drawings
FIG. 1 is a schematic diagram of a system for selectively disclosing information based on cryptographic techniques according to this embodiment;
FIG. 2 is a flow chart of a method for selectively disclosing information based on cryptographic techniques according to the present embodiment;
fig. 3 is a schematic diagram of a hash generation process of original information according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of selective disclosure information composed of disclosure fields and non-disclosure fields according to an embodiment of the present invention;
fig. 5 is a schematic diagram of a hash generation process of a selective disclosure message track according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be further described in detail with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application.
On the contrary, the application is intended to cover any alternatives, modifications, equivalents, and variations as may be included within the spirit and scope of the application as defined by the appended claims. Further, in the following detailed description of the present application, specific details are set forth in order to provide a more thorough understanding of the present application. The present application will be fully understood by those skilled in the art without a description of these details.
A detailed description of a method and system for selectively disclosing information based on cryptographic techniques according to embodiments of the present application will be provided below with reference to fig. 1-5. It is noted that the following examples are only for explaining the present application and are not limiting of the present application.
Example 1
As shown in fig. 1, a schematic diagram of a cryptographic technology based information selective disclosure system 100 according to the present embodiment, as shown in fig. 1, the cryptographic technology based information selective disclosure system 100 includes:
an acquisition module 110, configured to acquire original information; the original information includes at least one field;
the processing module 120 is configured to perform a hash process on the ciphertext of the field after performing a cryptographic transformation on the field of the original information;
the sorting module 130 is configured to sort and combine the hash values of the fields according to a preset order, so as to obtain target information with a fixed length;
a signature module 140 for signing the target information based on an issuer;
the display module 150 is configured to display the field to be disclosed in a ciphertext manner when the holder selectively reveals information, and display the field to be protected in a hash manner using the ciphertext;
the transmission module 160 is configured to transmit a decryption manner of the public field ciphertext in a preset transmission manner.
It should be noted that the above description of the cryptographic based information selective disclosure system and its modules is for descriptive convenience only and is not intended to limit the present disclosure to the scope of the illustrated embodiments. It will be appreciated by those skilled in the art that, given the principles of the system, various modules may be combined arbitrarily or a subsystem may be constructed in connection with other modules without departing from such principles. In some embodiments, the acquisition module 110 and the processing module 120 disclosed in fig. 1 may be different modules in a system, or may be one module to implement the functions of two or more modules. For example, each module may share one memory module, or each module may have a respective memory module. Such variations are within the scope of the present description.
Fig. 2 is a schematic diagram showing a flow 200 of a method for selectively disclosing information based on cryptographic techniques according to this embodiment. In some embodiments, the process 200 may be performed by the selective disclosure system 100 based on information of cryptographic technology. As shown in fig. 2, the process 200 includes:
step 210, obtaining original information; the original information includes at least one field;
step 220, after performing cryptographic transformation on the field of the original information, performing hash processing on the ciphertext of the field;
step 230, sorting and combining the hash values of the fields according to a preset sequence to obtain target information with fixed length;
step 240, signing the target information based on an issuer;
step 250, based on the holder, when selectively disclosing information, displaying the field to be disclosed in a ciphertext mode, and displaying the field to be protected in a ciphertext hash mode;
step 260, transmitting the decryption mode of the public field ciphertext in a preset transmission mode.
The implementation of the scheme involves 3 roles, namely an issuer, a holder and a verifier. In some embodiments, the method further comprises:
the issuer generates an issuer public and private key pair locally; the holder locally generates a public and private key pair of the holder; the verifier generates a verifier public-private key pair locally.
For example, the issuer locally generates its own Public-Private key pair (Public key: public issuer, private key: private issuer); the holder locally generates own Public-Private key pairs (Public key: public holder, private key: private holder); the verifier generates its own Public-Private key pair locally (Public key: public verifier, private key: private verifier).
In some embodiments, the method further comprises:
the issuer generates an issuer unique identification on the blockchain-based distributed digital identity system using the issuer public key; generating a unique identity of the holder on the blockchain-based distributed digital identity system using the holder public key; the verifier uses the verifier public key to generate a verifier unique identification on the blockchain-based distributed digital identity system.
For example, an issuer uses its own Public key (Public issuer) to generate a unique identification on a blockchain-based distributed digital identity system: a DID issuer; the holder uses its own Public key (Public holder) to generate a unique identity on the blockchain-based distributed digital identity system: a DID holder; the verifier uses its own Public key (Public verifier) to generate a unique identity on the blockchain-based distributed digital identity system: DID verifier.
In some embodiments, the method further comprises:
the issuer is registered as the issuer on a blockchain-based distributed digital identity system; the issuer registers the issued certificate declaration type on the distributed digital identity system based on the blockchain; a manager operating the blockchain-based distributed digital identity system verifies the qualification of an issuer in an off-line and on-line mode; responsive to passing the verification, the issuer becomes an authoritative issuer; the distributed digital identity system based on blockchain manages the issuer and discloses the information of the existing issuer.
For example, an issuer registers a type of credential claims (Claim Protocol Type, CPT for short) that may be issued on a blockchain-based distributed digital identity system, where the fields for credential support are primarily contained (e.g., identity CPT contains: name, birth year, month, etc., and academic CPT contains: name, academic, etc.). The manager operating the blockchain-based distributed digital identity system verifies the qualification of the issuer in an off-line and on-line mode, and after verification, the issuer becomes an authoritative issuer. Blockchain-based distributed digital identity system management issuers, disclosing existing issuer information: the DID issuer, the CPT the issuer registered, the DID doc issuer (including Public key: public issuer, supported encryption algorithm, service address), optional remark information (describing issuer information).
In some embodiments, the method further comprises:
the verifier registers basic information on a distributed digital identity system based on a blockchain; the distributed digital identity system based on the block chain manages the verifier and discloses the information of the existing verifier.
For example, a verifier registers its own basic information on a blockchain-based distributed digital identity system. Block chain based distributed digital identity system management verifier, disclosing existing verifier information: DID verifier, DID doc verifier (comprising Public key: public verifier, supported encryption algorithm, service address), optional remark information (describing verifier).
In some embodiments, the method further comprises:
the holder acquires the published issuer information table, and selects the corresponding issuer to generate the verifiable digital certificate; the issuer generates a verifiable digital certificate according to the request of the holder; the holder stores the verifiable digital certificate; the holder uses the verifiable digital certificate; when different service systems are used, a holder selectively reveals own attribute information according to the requirements of the service systems; the verifier verifies the verifiable expression.
For example, the holder obtains a public issuer information table, selects a corresponding issuer for generation of verifiable digital certificates (Verifiable Credential, VC for short), including:
firstly, preparing corresponding information (such as names, birth year and month and the like contained in an identity CPT) by a holder according to the CPT registered by an issuer; the holder selects the encryption algorithm and the secret key of the field of the CPT corresponding information registered by the issuer according to the information in the DID doc issuer and the security requirement (different fields can adopt different encryption algorithms and secret keys, and the encryption can be regarded as a special encryption mode), and the information needs to be shared, so the encryption algorithm is a symmetrical encryption algorithm. Meanwhile, the DID issuer, CPT registered by the issuer, fields in CPT and encryption algorithm and key used by the fields in CPT are recorded locally; the holder encrypts different fields according to the selection of the previous step to generate the ciphertext of the field attribute value. The encryption algorithm and the secret key used by the field in the CPT and the field attribute value in the CPT are used by the public key in the DID doc issuer information: the Public holder carries out asymmetric encryption to generate ciphertext for decrypting the key information; and sending the ciphertext of the decrypted key information, all the fields and the ciphertext of the field attribute values to a service address in the DID doc issuer information, and waiting for the issuer to generate a verifiable digital certificate (Verifiable Credential, VC for short).
In some embodiments, the issuer generating the verifiable digital certificate upon request of the holder comprises:
decrypting the ciphertext of the decryption key information by using an issuer private key of the issuer to obtain the decryption key information; decrypting the ciphertext of the attribute value by using the decryption key information to obtain original attribute information; performing on-line or off-line verification on the original attribute information; returning an error prompt in response to the verification failing; in response to passing the verification, adding other information that can verify the digital voucher; performing secure hash processing on each field; the hash values of the fields are combined according to a preset sequence and then hash processing is carried out to generate data with fixed length; the issuer signs by using the private key of the issuer; the generated verifiable digital certificate is returned to the holder.
For example, using the issuer's private key: the Private issuer decrypts the ciphertext of the decryption key information to obtain the decryption key information, and decrypts the ciphertext of the attribute value by using the decryption key information to obtain the original attribute information; and carrying out on-line or off-line verification on the original attribute information. Verification is not passed and an error is returned. The verification is passed to the next step; adding other information of verifiable digital certificates (Verifiable Credential, VC for short), such as information of an attribute field, ciphertext thereof, CPT information, issuing time, expiration time, unique identification ID of the VC, DID of an issuer, a verification algorithm and the like; each field is hashed securely (see fig. 3, additional information plaintext added), then the hashes of each field are combined in a certain order (ordered by field order or hash result), then hashed to generate a fixed length, and finally the issuer re-uses the private key: the Private holder signs. The generated verifiable digital certificate (Verifiable Credential, VC for short) is returned to the holder. The VC contains information such as an attribute field, ciphertext, CPT information, issuance time, expiration time, unique identification ID of the VC, issuer DID, signature, authentication algorithm, etc.
In some embodiments, the selectively exposing the attribute information of the holder according to the requirement of the service system includes: for the information to be disclosed, an encryption algorithm for generating a field recorded when the digital certificate can be verified and a cipher text of a key generation attribute value are used; for information which does not need to be disclosed, an encryption algorithm of a field recorded when the verifiable digital certificate is generated and a cipher text of an attribute value is generated by using a secret key, and then the attribute value is replaced by a hash value after secure hash; the digital certificate and other information can be verified to keep original text; acquiring basic information of a verifier on a distributed digital identity system based on a blockchain; the fields of the disclosure information, the corresponding encryption algorithm and the key, and the fields which are not disclosure are formed into decryption key information; encrypting the decryption key information by using a verifier public key of a verifier to generate a decryption key information ciphertext; signing the selectively revealed verifiable digital certificate with a holder private key of the holder to generate a verifiable expression; the verifiable expression is sent to a service address in the DID doc verifier.
FIG. 4 is a schematic diagram of selective disclosure information composed of disclosure and non-disclosure fields according to an embodiment of the present invention. For example, for information that needs to be disclosed, an encryption algorithm for a field recorded when generating a verifiable digital certificate (Verifiable Credential, VC for short) and a ciphertext of a key generation attribute value (consistent with the ciphertext of the verifiable digital certificate (Verifiable Credential, VC for short), may also be cached in advance); for information which does not need to be disclosed, an encryption algorithm for generating a field recorded when a verifiable digital certificate (Verifiable Credential, VC for short) and a cipher text for generating an attribute value by using a key are used, and then the attribute value is replaced by a hash value through secure hash, so that the information can be cached in advance; the digital certificate (Verifiable Credential, VC for short) can be verified and other original texts can be kept. Obtaining basic information of a verifier on a distributed digital identity system based on a blockchain: DID validator, DID doc validator (comprising Public key: public validator, supported encryption algorithm, service address), optional remark information; the fields of the disclosure information, the corresponding encryption algorithm and key, and the fields not disclosed constitute the decryption key information. Using the public key of the verifier: the Public verifier encrypts the decryption key information to generate a decryption key information ciphertext. The selectively revealed verifiable digital certificate (Verifiable Credential, VC) is signed using the holder's Private key Private to generate a verifiable expression (Verifiable Presentation, VP). The verifiable expression (Verifiable Presentation, VP for short) contains information such as VC, signature algorithm, verification algorithm, holding DID, holder public key, creation time, decrypting key information ciphertext, etc. after selective disclosure. The signature mode is as follows: firstly, generating a secure hash of each field (hash values are used without the disclosed information, and are skipped here), then combining the hashes of each field in a certain order (ordered by field order or by hash result), then generating a fixed length by hashing, and finally, using the private key by the holder: the Private holder signs. A verifiable expression (Verifiable Presentation, VP for short) is sent to the service address in the DID doc verifier.
Fig. 5 is a schematic diagram of a hash generation process of a selective disclosure message track according to an embodiment of the present invention. In some embodiments, the signing the selectively revealed verifiable digital credential using the holder's holder private key comprises: generating a secure hash of each field; the hash of each field is combined according to the preset, and then the hash is carried out to generate a fixed length; the holder then signs using the holder private key.
In some embodiments, the verifier verifying a verifiable expression comprises: the verifier verifies whether the signature of the verifiable expression is consistent by using a verification algorithm in the verifiable expression; responding to the inconsistency, and returning an error prompt; responsive to agreement, the verifier obtains a selectively revealed verifiable digital credential from the verifiable expression verifying whether the signature of the verifiable expression is agreed; responding to the inconsistency, and returning an error prompt; in response to the coincidence, decrypting the encrypted text of the decryption key information by using a verifier private key of a verifier to obtain the decryption key information; the verifier uses the decryption key information to decrypt the corresponding revealed field for relevant business operations.
For example, the verifier verifies whether the signature of the VP is consistent (the final hash is generated in the same way as compared with the original signature decrypted using the Public holder), if not, an error is returned, otherwise, the verifier proceeds to the next step to obtain a selectively revealed verifiable digital certificate (Verifiable Credential, VC for short) from the VP to verify whether the signature of the VC is consistent (the final hash is generated in the same way as the VC is generated, compared with the original signature decrypted using the Public issuer), if not, an error is returned, otherwise, the next step is performed, using the private key of the verifier: the Private verifier decrypts the ciphertext of the decryption key information to obtain the decryption key information, and the verifier uses the decryption key information to decrypt the corresponding disclosed field and then can perform related business operation.
Meanwhile, the invention also discloses an information selective disclosure device based on the cryptographic technology, which comprises a processor and a memory; the memory is configured to store instructions that, when executed by the processor, cause the apparatus to implement the cryptographic technique based information selective disclosure system of any of the above.
The invention also discloses a computer readable storage medium, which stores computer instructions, and when the computer reads the computer instructions in the storage medium, the computer runs the information selective disclosure system based on the cryptographic technology.
In summary, the technical scheme of the invention provides a safer improvement mode based on the existing selective disclosure method. According to the technical scheme, a cryptography technology is introduced, after the fields of the original information are subjected to cryptography transformation, the ciphertext of each field is hashed, then the hashes of the fields are combined according to a certain sequence (according to the field sequence or according to the hash result order) to regenerate a fixed length (such as rehash), finally the issuer signs again, a holder displays the fields needing to be disclosed in a ciphertext mode when selectively disclosing the information, the fields needing to be protected are displayed in a ciphertext hash mode, and meanwhile the decrypting mode of the ciphertext of the public fields is transmitted in a safe mode. The security of selective information disclosure can be greatly improved by the method.
The foregoing description of the preferred embodiments of the invention is not intended to be limiting, but rather is intended to cover all modifications, equivalents, and alternatives falling within the spirit and principles of the invention.

Claims (10)

1. A method for selectively disclosing information based on cryptographic techniques, comprising:
acquiring original information; the original information includes at least one field;
after carrying out cryptographic transformation on the field of the original information, carrying out hash processing on the ciphertext of the field;
the hash values of the fields are ordered and combined according to a preset sequence to obtain target information with fixed length;
signing the target information based on an issuer;
based on the fact that a holder uses a ciphertext mode to display fields needing to be disclosed when selectively disclosing information, and uses the hash of the ciphertext to display the fields needing to be protected;
and transmitting a decryption mode of the ciphertext of the public field in a preset transmission mode.
2. The method according to claim 1, wherein the method further comprises:
the issuer generates an issuer public and private key pair locally;
the holder locally generates a public and private key pair of the holder;
the verifier generates a verifier public-private key pair locally.
3. The method according to claim 2, wherein the method further comprises:
the issuer generates an issuer unique identification on the blockchain-based distributed digital identity system using the issuer public key;
generating a unique identity of the holder on the blockchain-based distributed digital identity system using the holder public key;
the verifier uses the verifier public key to generate a verifier unique identification on the blockchain-based distributed digital identity system.
4. A method according to claim 3, characterized in that the method further comprises:
the issuer is registered as the issuer on a blockchain-based distributed digital identity system;
the issuer registers the issued certificate declaration type on the distributed digital identity system based on the blockchain;
a manager operating the blockchain-based distributed digital identity system verifies the qualification of an issuer in an off-line and on-line mode;
responsive to passing the verification, the issuer becomes an authoritative issuer;
the distributed digital identity system based on blockchain manages the issuer and discloses the information of the existing issuer.
5. The method according to claim 4, wherein the method further comprises:
the verifier registers basic information on a distributed digital identity system based on a blockchain;
the distributed digital identity system based on the block chain manages the verifier and discloses the information of the existing verifier.
6. The method of claim 5, wherein the method further comprises:
the holder acquires the published issuer information table, and selects the corresponding issuer to generate the verifiable digital certificate;
the issuer generates a verifiable digital certificate according to the request of the holder;
the holder stores the verifiable digital certificate;
the holder uses the verifiable digital certificate;
when different service systems are used, a holder selectively reveals own attribute information according to the requirements of the service systems;
the verifier verifies the verifiable expression.
7. The method of claim 6, wherein the issuer generating verifiable digital certificates upon request of a holder comprises:
decrypting the ciphertext of the decryption key information by using an issuer private key of the issuer to obtain the decryption key information;
decrypting the ciphertext of the attribute value by using the decryption key information to obtain original attribute information;
performing on-line or off-line verification on the original attribute information;
returning an error prompt in response to the verification failing;
in response to passing the verification, adding other information that can verify the digital voucher;
performing secure hash processing on each field;
the hash values of the fields are combined according to a preset sequence and then hash processing is carried out to generate data with fixed length;
the issuer signs by using the private key of the issuer;
the generated verifiable digital certificate is returned to the holder.
8. The method of claim 7, wherein the selectively exposing the own attribute information by the holder according to the needs of the business system comprises:
for the information to be disclosed, an encryption algorithm for generating a field recorded when the digital certificate can be verified and a cipher text of a key generation attribute value are used;
for information which does not need to be disclosed, an encryption algorithm of a field recorded when the verifiable digital certificate is generated and a cipher text of an attribute value is generated by using a secret key, and then the attribute value is replaced by a hash value after secure hash;
the digital certificate and other information can be verified to keep original text;
acquiring basic information of a verifier on a distributed digital identity system based on a blockchain;
the fields of the disclosure information, the corresponding encryption algorithm and the key, and the fields which are not disclosure are formed into decryption key information;
encrypting the decryption key information by using a verifier public key of a verifier to generate a decryption key information ciphertext;
signing the selectively revealed verifiable digital certificate with a holder private key of the holder to generate a verifiable expression;
the verifiable expression is sent to a service address in the DID doc verifier.
9. The method of claim 8, wherein signing the selectively revealed verifiable digital credential using a holder private key of a holder comprises:
generating a secure hash of each field;
the hash of each field is combined according to the preset, and then the hash is carried out to generate a fixed length;
the holder then signs using the holder private key.
10. The method of claim 8, wherein the verifier verifying a verifiable expression comprises:
the verifier verifies whether the signature of the verifiable expression is consistent by using a verification algorithm in the verifiable expression;
responding to the inconsistency, and returning an error prompt;
responsive to agreement, the verifier obtains a selectively revealed verifiable digital credential from the verifiable expression verifying whether the signature of the verifiable expression is agreed;
responding to the inconsistency, and returning an error prompt;
in response to the coincidence, decrypting the encrypted text of the decryption key information by using a verifier private key of a verifier to obtain the decryption key information;
the verifier uses the decryption key information to decrypt the corresponding revealed field for relevant business operations.
CN202311534356.9A 2023-11-17 2023-11-17 Information selective disclosure method based on cryptographic technology Pending CN117579252A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311534356.9A CN117579252A (en) 2023-11-17 2023-11-17 Information selective disclosure method based on cryptographic technology

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311534356.9A CN117579252A (en) 2023-11-17 2023-11-17 Information selective disclosure method based on cryptographic technology

Publications (1)

Publication Number Publication Date
CN117579252A true CN117579252A (en) 2024-02-20

Family

ID=89885617

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311534356.9A Pending CN117579252A (en) 2023-11-17 2023-11-17 Information selective disclosure method based on cryptographic technology

Country Status (1)

Country Link
CN (1) CN117579252A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20230283466A1 (en) * 2022-03-07 2023-09-07 Hitachi Solutions, Ltd. Content protection system

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20230283466A1 (en) * 2022-03-07 2023-09-07 Hitachi Solutions, Ltd. Content protection system
US12432061B2 (en) * 2022-03-07 2025-09-30 Hitachi Solutions, Ltd. Content protection system

Similar Documents

Publication Publication Date Title
ES2881289T3 (en) Method to manage a trusted identity
KR101999188B1 (en) Secure personal devices using elliptic curve cryptography for secret sharing
US6834112B1 (en) Secure distribution of private keys to multiple clients
CN113811874B (en) Encrypted data verification method
US20110145576A1 (en) Secure method of data transmission and encryption and decryption system allowing such transmission
KR20000075650A (en) Administration and utilization of secret fresh random numbers in a networked environment
CN110188551B (en) Policy encryption transmission method and system
CN102075544A (en) Encryption system, encryption method and decryption method for local area network shared file
CN106302312A (en) Obtain the method and device of e-file
JPH09505711A (en) Computer network encryption key distribution system
CN112564906A (en) Block chain-based data security interaction method and system
CN117335989A (en) Safety application method in internet system based on national cryptographic algorithm
CN110597836A (en) Information query request response method and device based on block chain network
CN101296083A (en) An encrypted data transmission method and system
US12574230B2 (en) Methods and arrangements for establishing digital identity
CN110189184A (en) A kind of electronic invoice storage method and device
JP4250429B2 (en) Chained signature creation device and control method thereof
JPH0962596A (en) Email system
WO2026037121A1 (en) Quantum-resistant security enhancement method for simple authentication and security layer protocol
CN107947939A (en) Support the PDF endorsement methods and system of SM3 cryptographic Hash algorithm and SM2 Digital Signature Algorithms
CN114866244A (en) Controllable anonymous authentication method, system and device based on ciphertext block chaining encryption
CN115396096B (en) Encryption and decryption method and protection system for secret files based on national secret algorithm
CN109347923A (en) Anti- quantum calculation cloud storage method and system based on unsymmetrical key pond
CN110572257B (en) Identity-based data source identification method and system
CN117579252A (en) Information selective disclosure method based on cryptographic technology

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination